Cross-site scripting flaws occur when attacker-controlled data is rendered in a victim's browser. The consequences of a cross-site scripting attack range from website defacement to identity theft. Web application developers typically prevent cross-site scripting (XSS) flaws by encoding or replacing potentially dangerous characters in potentially malicious input with harmless equivalents, a process known as sanitization. In web applications, sanitization routines vary with respect to the context in which the data is rendered. For example, data rendered in HTML must be sanitized differently than data rendered in JavaScript. Context-sensitive cross-site scripting flaws arise when a sanitizer is used in an inappropriate context. Unfortunately, sanitizer placement in web application code is a highly manual and error-prone process, making it difficult for developers to fully protect their code from XSS attacks. Indeed, a single missing sanitizer is often sufficient to make an application vulnerable to XSS attacks.
Several static and dynamic analysis approaches for the detection of missing sanitizers have been developed in recent years. One of the most successful approaches to detect missing sanitizers is taint analysis, which aims at identifying execution paths in a program where malicious inputs can reach sensitive instructions without being sanitized, that is, execution paths that miss a sanitizer. Taint analysis is, however, insufficient to fully protect an application against XSS attacks: ensuring that user inputs are sanitized before reaching security-sensitive instructions is necessary but not sufficient to prevent XSS flaws, because the sanitizer that is applied must also match the context in which the data is rendered.
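The following added example (not code from the paper) illustrates the context-sensitivity point above: an HTML entity encoder and a JavaScript string-literal encoder, plus a check that reports which metacharacters of a given rendering context survive a sanitizer unencoded. The sanitizer names, the context table and the probe string are all constructed for this illustration.

```javascript
// Added example: context-specific sanitizers and a sanitizer/context fit check.
// Names, contexts and the probe string are constructed, not taken from the paper.

const HTML_ENTITY = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// Sanitizer intended for HTML text and quoted-attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ENTITY[c]);
}

// Sanitizer intended for a JavaScript string literal inside <script>:
// hex/unicode-escape every UTF-16 code unit outside a conservative allow-list.
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9 ,._-]/g, (c) => {
    const cu = c.charCodeAt(0);
    return cu < 0x100
      ? "\\x" + cu.toString(16).padStart(2, "0")
      : "\\u" + cu.toString(16).padStart(4, "0");
  });
}

// Per context: the escape syntax the consumer decodes (removed before the
// check) and the characters that must never remain raw in that context.
const CONTEXTS = {
  html_text:        { escape: /&(?:#x[0-9a-f]+|#\d+|[a-z]+);/gi, raw: /[<>&]/g },
  html_attr_quoted: { escape: /&(?:#x[0-9a-f]+|#\d+|[a-z]+);/gi, raw: /[<>&"']/g },
  // Raw quotes, backslashes and line terminators end or escape the literal;
  // a raw "<" could start a closing script tag and end the script block.
  js_string_literal: { escape: /\\(?:x[0-9a-f]{2}|u[0-9a-f]{4}|[^xu])/gi,
                       raw: /['"\\\n\r<\u2028\u2029]/g },
};

// Constructed probe holding the metacharacters of every context above.
const PROBE = 'a<b>&"\'\n/c\u2028\\';

// Returns the context metacharacters the sanitizer leaves unencoded;
// an empty array means the sanitizer is appropriate for that context.
function survivingMetachars(sanitize, context) {
  const { escape, raw } = CONTEXTS[context];
  const leftover = sanitize(PROBE).replace(escape, "");
  return leftover.match(raw) || [];
}

// escapeHtml fits the HTML contexts, but in a JavaScript string literal the
// newline, the U+2028 line terminator and the backslash survive unencoded.
console.log(survivingMetachars(escapeHtml, "html_text"));             // nothing survives
console.log(survivingMetachars(escapeHtml, "js_string_literal"));     // three characters survive
console.log(survivingMetachars(escapeJsString, "js_string_literal")); // nothing survives
```

Run under Node.js; the check is deliberately syntactic (it decodes nothing) so it can be applied to any sanitizer's output without a browser.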